wip: add auth setup

cmd/migrate/main.go

@@ -8,6 +8,7 @@ import (
 	"github.com/zeiss/service-lens/internal/adapters/db"
 	"github.com/zeiss/service-lens/internal/configs"
 	"github.com/zeiss/service-lens/internal/models"
+	"github.com/zeiss/service-lens/internal/utils"
 
 	"github.com/katallaxie/pkg/logger"
 	"github.com/spf13/cobra"
@@ -18,6 +19,18 @@ import (
 )
 
 var seeds = []seed.Seed{
+	{
+		Name: "create teams",
+		Run: func(db *gorm.DB) error {
+			return db.Create([]models.Team{
+				{
+					Name:        "Super Admins",
+					Slug:        "superadmins",
+					Description: utils.StrPtr("Super Admins have access to all features and can manage all resources."),
+				},
+			}).Error
+		},
+	},
 	{
 		Name: "create profile questions",
 		Run: func(db *gorm.DB) error {

docker-compose.yml

@@ -1,6 +1,47 @@
-version: '3.1'
-
 services:
+
+  crdb:
+    restart: always
+    image: cockroachdb/cockroach:latest-v24.1
+    ports:
+      - "26257:26257"
+      - "8082:8080"
+    command: start-single-node --insecure
+    volumes:
+      - "crdb:/cockroach/cockroach-data"
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8080/health?ready=1"]
+      interval: 3s
+      timeout: 3s
+      retries: 5
+
+  migrate:
+    depends_on:
+      crdb:
+        condition: service_healthy
+    image: openfga/openfga:latest
+    container_name: migrate
+    command: migrate
+    environment:
+      - OPENFGA_DATASTORE_ENGINE=postgres
+      - OPENFGA_DATASTORE_URI=postgres://root@crdb:26257/defaultdb?sslmode=disable
+
+  openfga:
+    depends_on:
+      migrate:
+        condition: service_completed_successfully
+    image: openfga/openfga:latest
+    container_name: openfga
+    environment:
+      - OPENFGA_DATASTORE_ENGINE=postgres
+      - OPENFGA_DATASTORE_URI=postgres://root@crdb:26257/defaultdb?sslmode=disable
+      - OPENFGA_LOG_FORMAT=json
+    command: run
+    ports:
+      - "8080:8080"
+      - "8081:8081"
+      - "3000:3000"
+
   db:
     image: postgres
     restart: always
@@ -12,4 +53,4 @@ services:
       - "5432:5432"
 
 volumes:
-  postgres_data: {}
+  crdb: {}

examples/auth.dsl

@@ -0,0 +1,65 @@
+model
+  schema 1.1
+
+type user
+
+type team
+  relations
+    define admin: [user]
+    define can_add_admin: can_add_owner
+    define can_add_editor: can_add_admin or admin
+    define can_add_owner: owner
+    define can_add_viewer: can_add_editor or editor
+    define can_create_environment: editor
+    define can_create_lens: editor
+    define can_create_profile: editor
+    define can_create_workload: editor
+    define can_delete: owner
+    define can_delete_owner: can_add_owner
+    define editor: [user] or admin
+    define owner: [user]
+    define viewer: [user] or editor or admin
+
+type workload
+  relations
+    define admin: admin from team
+    define can_delete: editor or admin
+    define can_read: viewer
+    define can_share: admin
+    define can_write: editor or admin
+    define editor: editor from team or admin
+    define team: [team]
+    define viewer: viewer from team or editor
+
+type profile
+  relations
+    define admin: admin from team
+    define can_delete: editor or admin
+    define can_read: viewer
+    define can_share: admin
+    define can_write: editor or admin
+    define editor: editor from team or admin
+    define team: [team]
+    define viewer: viewer from team or editor
+
+type lens
+  relations
+    define admin: admin from team
+    define can_delete: editor or admin
+    define can_read: viewer
+    define can_share: admin
+    define can_write: editor or admin
+    define editor: editor from team or admin
+    define team: [team]
+    define viewer: viewer from team or editor
+
+type environment
+  relations
+    define admin: admin from team
+    define can_delete: editor or admin
+    define can_read: viewer
+    define can_share: admin
+    define can_write: editor or admin
+    define editor: editor from team or admin
+    define team: [team]
+    define viewer: viewer from team or editor